Cisco Firewall Product Line

lamav
Level 8

Hi:

I am looking for a firewall solution that can provide 5-Gbps of IPSec 3DES traffic processing.

The highest of the ASA product line (5580) can handle a maximum of 1-Gbps. I think the reason for this is that, in Cisco's view, the ASA is an enterprise-level appliance. That is also probably why it only supports AC power.

What product line should service providers look for to provide at least 5-Gbps of 3DES traffic and DC power support?

Thanks

Victor

14 Replies

Lucien Avramov
Level 10

The FWSM module in CAT6k provides you 5.5 GBPS:

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html

CAT6k can run off AC or DC or mixed power:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bfa8.shtml#power_red

ASA 5540 is up to 1.2 Gbps throughput and BTW there is a DC power supply for ASA, not sure what you are referring to that says it does not. The part number is: ASA-180W-PWR-DC

Hi:

Thanks.

The FWSM supports up to 5.5 Gbps of clear text, not IPSec. I don't see the IPSec spec on that data sheet.

Would have to check out the DC power thing. It was a Cisco SE who told me the ASA doesn't support DC.

Give the SE the part number for the DC power ;)

ASA-180W-PWR-DC

Giuseppe Larosa
Hall of Fame

Hello Victor,

We have recently installed a pair of ASA 5580-40 that have 10GE interfaces and should be able to process 5 Gbps of traffic.

See

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

We had a major issue with a bug but it has been solved.

Our experience with FWSM is that they don't really support 5 Gbps, so we have used failover groups, putting different contexts in different failover groups and making FWSM1 active for group1 and FWSM2 active for group2

(a FWSM pair on two C6500 chassis)

Hope to help

Giuseppe

Hi, Giuseppe:

The 10G specification is for clear text throughput. The spec right below that shows Max VPN throughput. It's 1Gbps.

Yes, as I said, it's 1.2 GB on the 5540.

It seems you may more be looking for a VPN module then?

Check out the VPNSM blade that can be added to the FWSM:

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4221/index.html

You mentioned the FWSM and that it supports 5 Gbps. That's clear text, not IPSec. I'm asking about IPSec throughput.

[Edit] Now that you edited your response to include the VPNSM, I will edit mine to say that I will look that up. [EDIT] :-)

Thanks

Check my answer: I refer you to the VPNSM module for the IPSEC portion:

Check out the VPNSM blade that can be added to the FWSM:

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4221/index.html

The solution you are looking for could be met with a couple of VPNSM modules.

It's very unusual to look for such high rates of IPSEC traffic. Maybe the design should be reviewed and split into a couple of devices.

The problem is that the client runs a Juniper shop, and the Juniper srx-3400 supports up to 10Gbps of IPSec. So a Cisco solution would have to support at least half of that, according to client specs.

For now we support up to 8-80 Gbps on a cat6k switch. Check out that last doc I referred where there is also the ASR1k.

80 GBPS will be with a chassis fully loaded of vpn modules, but technically it's achievable. That will be 8 times that juniper device.

It will boil down to cost, and design. The solution exists.

Hello Victor,

Sorry, I overlooked the table.

If the device has to act as an IPSec VPN concentrator, you could consider the ASR 1006 with ESP 20.

A pair of devices should be able to deliver 5 Gbps IPSec each,

see

http://www.cisco.com/en/US/partner/prod/collateral/routers/ps9343/data_sheet_c78-450070.html

Of course VPNSM suggested by Lucien can be attractive if you deploy two C6500 boxes and you need other services / service modules.

Hope to help

Giuseppe

Thanks, G:

Also, here is a complete list of our solutions.

Maybe the ASR 1k could be the answer in your scenario: 7 GBps of throughput.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure09186a00801f0a72_ns710_Networking_Solutions_Brochure.html

Hope this resolves your questions. Good luck choosing the product meeting your requirements.

Thank you, sir.
